Is my code safe from SQL injections? #973
I'm passing user provided text directly to Piccolo ORM query. Is the

```python
from typing import Annotated

from litestar import Controller, get
from litestar.params import Parameter

# Upload, UploadType, Class, Subject and Stream are the poster's own
# Piccolo table / enum definitions; they are not shown in the discussion.


class UploadController(Controller):
    path = "/uploads"

    @get(cache=120)
    async def get_uploads(
        self,
        p: Annotated[int, Parameter(default=1, gt=0)] = 1,
        t: str | None = None,
        ut: UploadType | None = None,
        c: Class | None = None,
        s: Subject | None = None,
        st: Stream | None = None,
    ) -> list[dict]:
        query = (
            Upload.objects()
            .offset((p - 1) * 10)
            .limit(10)
            .order_by(
                Upload.created_at,
                ascending=False,
            )
        )
        if t is not None:
            # user-supplied search text goes into the ILIKE pattern
            query.where(Upload.title.ilike(f"%{t}%"))
        # the remaining filters and the return were cut off in the capture
```
Answered by
sinisaos
Mar 29, 2024
Replies: 1 comment 1 reply
@AmazingAkai Yes it does. Here are the docs for that. If you are using raw sql queries, you should always parameterize all values using curly braces `{}` as placeholders like this:

```python
await YourTable.raw('select * from yourtable where name = {}', 'something')
```

Hope that helps.
Answer selected by
AmazingAkai
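The difference the answer is pointing at, as an added example that is not part of the discussion and not Piccolo's code: it uses the standard-library `sqlite3` driver, and `raw()` is a hypothetical stand-in modelled on the `{}` placeholder shape of `Table.raw()` (it rewrites each `{}` to the driver's `?` bind marker). `search_titles_unsafe` splices the search text into the SQL string, so a plain apostrophe already breaks the statement; `search_titles_safe` binds the pattern as a value instead. `escape_like` and `search_titles_safe_literal` cover the caveat a practitioner usually wants next: binding stops SQL injection, but `%` and `_` inside the bound pattern are still `LIKE` wildcards unless escaped. The table rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the poster's Upload table.
SAMPLE_UPLOADS = [
    ("Algebra notes", 1),
    ("Biology lab report", 2),
    ("Chemistry cheat sheet", 3),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE upload (id INTEGER PRIMARY KEY, title TEXT, owner INTEGER)"
    )
    conn.executemany("INSERT INTO upload (title, owner) VALUES (?, ?)", SAMPLE_UPLOADS)
    return conn


def raw(conn: sqlite3.Connection, template: str, *args) -> list[tuple]:
    """Hypothetical stand-in for the `{}` placeholder style of Table.raw().

    Each `{}` is rewritten to the driver's own bind marker (`?` for sqlite3),
    so the database receives the SQL text and the values separately.
    Illustration of the idea only; this is not Piccolo's implementation.
    """
    if template.count("{}") != len(args):
        raise ValueError("number of {} placeholders must match number of values")
    return conn.execute(template.replace("{}", "?"), args).fetchall()


def search_titles_unsafe(conn: sqlite3.Connection, t: str) -> list[str]:
    """Anti-pattern: the user's text is spliced into the SQL string."""
    sql = f"SELECT title FROM upload WHERE title LIKE '%{t}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_titles_safe(conn: sqlite3.Connection, t: str) -> list[str]:
    """The pattern is built in Python and then bound as a single value."""
    rows = raw(conn, "SELECT title FROM upload WHERE title LIKE {} ORDER BY id", f"%{t}%")
    return [row[0] for row in rows]


def escape_like(s: str) -> str:
    """Escape LIKE metacharacters so the user's text matches literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_titles_safe_literal(conn: sqlite3.Connection, t: str) -> list[str]:
    """Bound *and* wildcard-escaped: `%` and `_` in t only match themselves."""
    rows = raw(
        conn,
        "SELECT title FROM upload WHERE title LIKE {} ESCAPE '\\' ORDER BY id",
        f"%{escape_like(t)}%",
    )
    return [row[0] for row in rows]


def unsafe_query_fails_on(conn: sqlite3.Connection, t: str) -> bool:
    """True if the spliced query is rejected as malformed SQL for input t.

    An apostrophe is enough to show the input is parsed as SQL, which is the
    precondition for any injection; the bound version treats it as data.
    """
    try:
        search_titles_unsafe(conn, t)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_titles_safe(db, "lab"))                  # ['Biology lab report']
    print(unsafe_query_fails_on(db, "O'Reilly"))          # True
    print(search_titles_safe(db, "O'Reilly"))             # []
    print(search_titles_safe(db, "cheat_sheet"))          # ['Chemistry cheat sheet']
    print(search_titles_safe_literal(db, "cheat_sheet"))  # []
```

The same split applies to the poster's handler: Piccolo sends the `ilike()` pattern as a bound parameter, so building `f"%{t}%"` in Python is fine from an injection standpoint, but whether `%` and `_` typed by the user should act as wildcards is a separate decision to make deliberately.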